September 29, 2022

Utility companies most at risk of cyberattack – Moody’s

Water and power companies are attractive targets for hackers, even though the rewards can be relatively low.

By Ryan Morrison

Utility companies and hospitals are coming under increasing risk of cyberattack, according to a report by credit ratings agency Moody’s. In its first update to the Cyber Risk Heatmap since 2019, the agency found water companies were among the most at risk of any sector. While the financial reward for attacking a water or electricity company was relatively low, they often have minimal security measures in place, making them attractive targets.

Water companies were at the most risk of cyberattack, according to Moody’s. This was due to lower levels of risk management. (Photo by Avatar_023/Shutterstock)

The report looks at the cyber risk across more than 70 sectors of the economy, scoring each on a scale of low, moderate, high or very high risk of cybersecurity exposure, set against any mitigation taken by organisations in that sector.

Working with data gathered by BitSight Technologies, a cyber ratings company, the team of analysts found there had been a notable rise in mitigation since the previous report, with organisations investing in cybersecurity and risk management technologies.

Moody’s considered the level of debt within each sector to weigh the economic impact of any major cyberattack, finding that $22trn of the $80trn it rated has a high or very high cyber risk exposure. This is up about $1trn on the 2019 heat map on a similar level of rated debt.

The sectors most at risk weren’t necessarily those with the highest level of debt exposure or the most to lose financially but rather those least likely to have good risk mitigation in place.

“We scored water and waste water utilities as very high this year compared to a moderate in 2019,” Moody’s senior analyst and author of the report, Steven Libretti, told Tech Monitor. “While the very high score this year is not all that surprising, the movement itself is.”

Cyberattacks: low reward targets are at higher risk

Of the more than 70 sectors studied, Moody’s found the top four were all utilities and the fifth was not-for-profit hospitals, which Libretti says was likely due to them being attractive and high-profile targets for cybercriminals.

“When looking at these utilities, we find them to be often very small uncomplex entities that are highly attractive targets,” he explains. “They often have less advanced cyber risk mitigation strategies including less developed perimeter vulnerability management programs and less advanced cyber risk management practices.”

The utilities and hospitals were followed by banks, telecom companies, chemical suppliers and transportation services in terms of level of risk, with those in construction and agriculture at the lower end of the risk scale.

“Cyber risk is rising. However, we are witnessing correlated growth in robust security program investments, as industries prioritise the need to assess and quantify the risk to inform key strategy decisions, mitigate supply chain risk, and ensure investor confidence,” said Libretti.

Derek Vadala, chief risk officer for BitSight, said it graded the risk by looking at open ports and patching cadence datasets within each sector. “Poor patching cadence, for example, is strongly correlated with a significantly higher risk of ransomware.”

“Continued focus on improving basic cyber hygiene and vulnerability management performance can measurably reduce the risk of experiencing a business-impacting incident,” Vadala added.

Digitisation poses cybersecurity risk

Moody’s had no way to directly measure investment in cybersecurity, but found that certain sectors were weaker than others using the BitSight analysis. The worst offenders were the utilities, education, media, entertainment and publishing companies.

Libretti wouldn’t be drawn on whether the predicted recession would have any impact on the level of investment made in cybersecurity or whether it would lead to a greater degree of cyberattack in future, but some future technologies could have an impact.

Three-quarters of the debt covered in the report was linked to sectors of the economy that scored high or very high on digitisation risk, that is, risks linked to the digital transformation of systems, processes, information and networks.

The report gives the example of the cyberattack on SolarWinds in 2020 as a way a digitisation risk can affect one company and spread to other organisations. Attackers injected malicious code into a software update that SolarWinds sent out to customers, allowing the code to enter customers’ networks and giving the attackers access.

The sectors most at risk from the digitisation process are banks, technology and software companies, telecommunication companies and those working in insurance.
